Apple releases FaceTime patch and iOS zero-day fixes

New bug fix releases for both iOS and macOS include the anticipated FaceTime patch for the serious eavesdropping flaw in group chats as well as fixes for two iOS zero-days.

Fixing the serious FaceTime group chat bug took longer than expected, but Apple patched the vulnerability and also addressed newly discovered iOS zero-days.

The FaceTime patch -- released as part of iOS 12.1.4 and macOS 10.14.3 on Thursday -- should fix the flaw that allowed the person initiating a call to hear audio from the recipient before the call was answered. Triggering the bug was caused by adding oneself to a group FaceTime call, which according to Apple's description caused "a logic issue" wherein "the initiator of a Group FaceTime call may be able to cause the recipient to answer."

Additionally, in the details of the FaceTime patch, Apple credited two people: Grant Thompson, a student at Catalina Foothills High School in Tucson, Ariz., and Daven Morris, a software developer based in Arlington, Texas, with reporting the issue.

Morris said he discovered the issue around the same time as Thompson and reported it to Apple on Jan. 27, according to an interview with The Wall Street Journal.

Thompson's mother Michele had attempted for more than one week to report the FaceTime bug to Apple and when her story was first reported, there were questions as to whether Thompson would receive anything via Apple's bug bounty for finding the issue.

Apple has not replied to requests for comment.

Apple zero-days

In addition to the FaceTime patch, iOS 12.1.4 brought fixes for two zero-day flaws discovered and reported by Clément Lecigne from Google's Threat Analysis Group, and Ian Beer and Samuel Groß of Google Project Zero.

The two bugs were memory corruption issues, one of which (CVE-2019-7286) allowed privilege escalation and affected both iOS and macOS, while the other (CVE-2019-7287) allowed code execution with kernel privileges and only affected iOS. Both flaws were actively exploited in the wild, according to Project Zero researchers, but it was not clear if iOS was targeted in both cases.

However macOS Mojave 10.14.3 was found to have another zero-day vulnerability which could allow an attacker to extract passwords, private keys and tokens from the local Keychain password manager of the current user. This issue was discovered by Linus Henze, an 18-year-old researcher from Germany and announced on Twitter on Feb. 3. Henze created what he called a simple app -- KeySteal -- that didn't require any special privileges to extract the data from Apple's Keychain. However, Henze said via Twitter that the issue was not fixed in macOS 10.14.3.

Dig Deeper on Application and platform security